Describe the bug
There is a severe Path Traversal vulnerability in src/agents/feature/feature.py within the save_code_to_project function. The application extracts the filename directly from the LLM's response (file['file']) and concatenates it using os.path.join() without any path sanitization or boundary checks.
If an attacker injects a malicious payload (e.g., via socket communication / prompt injection) that forces the model to output a filepath containing ../ sequences or absolute paths, os.path.join() will resolve the path outside the intended project directory. The subsequent open(..., "w") operation will blindly overwrite arbitrary files on the host system, leading to severe environment destruction or potential Remote Code Execution (RCE).
How To Reproduce
Steps to reproduce the behavior (example):
- Send a crafted payload via the socket communication interface that forces the LLM to output a Markdown block with a directory traversal path. For example:
  File: ../../../../../../root/.ssh/authorized_keys:
- The validate_response function parses this and sets file['file'] to ../../../../../../root/.ssh/authorized_keys.
- The save_code_to_project function executes:
  os.path.join(self.project_dir, project_name, "../../../../../../root/.ssh/authorized_keys")
- os.makedirs and open(..., "w") execute, escaping the workspace and overwriting the host's critical files.
Expected behavior
The application must validate and sanitize the extracted file['file'] before writing it to the disk. It should ensure that the final resolved absolute path strictly resides within the intended project workspace.
Screenshots and logs
Note: Discovered via static code analysis, so runtime logs are not applicable. Vulnerable code snippet in src/agents/feature/feature.py:
```python
def save_code_to_project(self, response: List[Dict[str, str]], project_name: str):
    # ...
    for file in response:
        # [!] VULNERABILITY: No path validation before os.path.join
        file_path = os.path.join(self.project_dir, project_name, file['file'])
        file_path_dir = os.path.dirname(file_path)
        os.makedirs(file_path_dir, exist_ok=True)
        # [!] Arbitrary file overwrite
        with open(file_path, "w", encoding="utf-8") as f:
            f.write(file["code"])
```
Additional context
Recommended Fix:
Implement strict path boundary validation before performing any file operations.
```python
base_path = os.path.abspath(os.path.join(self.project_dir, project_name))
# Resolve the absolute path of the target file
file_path = os.path.abspath(os.path.join(base_path, file['file']))
# Security assertion: ensure the target path is strictly within the base_path
if not file_path.startswith(base_path + os.sep):
    raise PermissionError("Path traversal attempt detected!")
```
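A fuller version of the boundary check, as an added example rather than the project's own code: it resolves symlinks with os.path.realpath, compares whole path components with os.path.commonpath, and applies the same check to project_name. The standalone signature, resolve_inside and demo are hypothetical names, and the sample filenames are constructed.

```python
import os
import tempfile
from typing import Dict, List


def resolve_inside(base_dir: str, untrusted_name: str) -> str:
    """Return the real path for untrusted_name, or raise if it leaves base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses "../", honours absolute components and follows symlinks
    target = os.path.realpath(os.path.join(base, untrusted_name))
    # commonpath compares whole components, so "/ws/app-evil" is not inside "/ws/app"
    if target == base or os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to write outside workspace: {untrusted_name!r}")
    return target


def save_code_to_project(project_dir: str, project_name: str,
                         response: List[Dict[str, str]]) -> List[str]:
    """Write each {'file', 'code'} entry under project_dir/project_name only."""
    # project_name is untrusted too, so it is checked against project_dir
    base = resolve_inside(project_dir, project_name)
    written = []
    for entry in response:
        path = resolve_inside(base, entry["file"])
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(entry["code"])
        written.append(path)
    return written


def demo() -> Dict[str, bool]:
    """Run constructed filenames through the check; True means rejected."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app-evil"))
        samples = ["src/main.py", "../../../../../../root/.ssh/authorized_keys",
                   "/etc/passwd", "../app-evil/x.py", "."]
        for name in samples:
            try:
                save_code_to_project(root, "app", [{"file": name, "code": "pass\n"}])
                results[name] = False
            except PermissionError:
                results[name] = True
    return results
```

The check runs before os.makedirs, so a rejected name creates no directories. It validates the path at check time only; a workspace that other processes can modify between the check and the open() still needs OS-level confinement.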